rajatpandey1977
Customer wants to connect to an SSL-enabled SQL Server from PowerCenter installed on SUSE Linux. They are using the DataDirect ODBC driver for this purpose. Connecting to a secure, SSL-enabled SQL Server is supported by the DataDirect SQL Server ODBC driver. Customer is able to establish the connectivity, but the following is the issue.

To connect to an SSL-enabled SQL Server, the client (the ODBC driver in this case) needs to get the server (SQL Server) certificates, store them in a trust store and use them to connect to the server. In this case the server certificate is not just one certificate but a chain of certificates consisting of one root certificate and a couple of intermediate server certificates. In this case the root certificate is a certificate signed by a certifying authority. When there is a certificate chain, all the certificates in it have to be honored. Even if one certificate is missing from the client, the connectivity should not go through. This is the expectation from the customer.

But using the DataDirect ODBC driver to connect to the SSL-enabled SQL Server, the connection goes through if just the root certificate is present in the client's (ODBC driver's) trust store. The ODBC driver does not take the intermediate certificates into account at all. Even if the intermediate certificates are taken out of the ODBC driver's trust store, the connectivity is established to the server by just using/trusting the root certificate. According to the customer this compromises the security, as the root certificate issued by the certifying authority can be the same for different applications, and the trust should be established based on the root and the other intermediate server certificates in the chain as well.
We opened a case with DataDirect (00314812) and the following is what they had to say:

“After doing some further research and talking to our Engineering we found that currently if the driver finds a proper root certificate for Authentication it will not look for the server certificate. If you want this behavior to change then you may request an enhancement through the Progress Community via an Ideas submission. Your feedback is valuable and Idea submissions are monitored by our Product Management team. Enhancement requests are reviewed during the planning phase of each new product release and a list of the enhancements chosen for implementation can be found in the Readme.txt file that accompanies each release. Once you have submitted your Idea the Progress Software Community will have the opportunity to comment on and vote for your Idea.”

Why is it critical: According to the customer, they will not be able to connect to the SQL Server in question without the functionality they are looking for, as it will compromise the security and they cannot clear the compliance in J&J. The “all certificates in chain” part is explained as part of the user scenario.